pptp win2k sp4 - error 721 - (650 on 98se)

[scott]

Hi,

When connecting to win2k server (sp4) using pptp from 98se or 2ksp4 clinet i
get error.

- on 2ksp4 clinet its error 721.
- on win 98se its error 650.

I can establish a PPTP connection to other sites.

Setup: 2k clinet is stand alone > router > net > router > firewall >
2kserver.

The following MS article details
http://support.microsoft.com/default.aspx?scid=kb;en-us;810839

Not sure if i fully understand what its taking about.

Anyone else had this problem ?

Thanks
Scott.

 

[scott]

Hi,

This artcile worked thanks.

http://support.microsoft.com/?id=271731

Cheers.
Scott.

 

[Chetan Raghavendra [MSFT]]

Hi Scott,

If you started facing this problem, after installing SP4, you can follow the
KB article to fix the issue.

If the setup was working and the firewall was introduced newly then you
would be required to open up ports:
PPTP - TCP port 1723 and IP Protocol 47 (GRE)
L2TP - UDP 500 and UDP 1701
If you are using L2TP with IPSEC, you would as well open up port for
PROTOCOL 50 ESP (Encapsulating Security Payload)

--
Thanks
Chetan
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[scott]

Reffering to KB 271731 (PPTP clinets cannot connect to a PPTP server......)

- i have 2 nic, one is now removed
- i amended registy to include ValidateAddress on pptp adapters
- i tried this setting at 0 (worked for a while) and later at 1 (incase i
misunderstood)

One line in this article suggested the following:

"to resolve this issue, configure the firewall or the router so that the
source of the PPTP reply packets is the same IP address that the PPTP
clinets use"

I dont understand what this section is saying. How do i configure the SOURCE
of the PPTP reply (my vpn server) to be the same IP address that the clinets
use ?

Thanks
Scott.

 

[scott]

- I uninstalled SP4 from the vpn server (back to sp3) and still cannot
connect from win2k sp4 or win98 se clinet.
- Im trying a fresh install of win2k clinet to see if this helps.
- This win2k clinet can connect ok to other pptp sites.

Im starting to think that installing sp4 on vpn server mean i will need to
change how my firewall works at replying but i dont know what.

thanks
scott.

 

[scott]

FIREWALL REPORTING GRE FOWARD I SENT USING PPTPSERV test from 2000 toolkit.

----------------------------------------------------------------------------
-------------------------------

No. Time Source IP Destination IP Note

1|02/10/2004 12:05:43 99.99.99.99:27511 |192.168.1.199:1723 |ACCESS FORWARD

Firewall rule match: TCP (Wan to Lan, rule:2)

 

[scott]

Got a better test:

NET
v
ROUTER
v
ROUTER > win2k clinet (WS012)
v
FIREWALL
v
RAS SERVER

- The win2k clinet (WS012) on the middle router (DMZ) can ALWAYS establish a
PPTP connection to RAS SERVER.
- This connection passes through the FIREWALL.
- Once this connection has been made all other external PPTP WIN2k clients
can connect.
- After WS012 disconnects and after several mins all external WIN2k that
attempt connection get error 721.

What the heck is going on ?

Thanks for any information at all.
Scott.

 

[scott]

futher testing showed:

win98 on external ip connect ok (firewall report PPTP 1723 + GRE)

win 98 manually disconet, reconnect (frewall report PPTP 1723 only)

Its like GRE was lost during the second connection. IE second time GRE did
not make it as far as the FIREWALL.

Im checking middle ROUTER.